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SUMMARY 


Internet-basepllatforrmsare increasinglysedfor deliveryof servicesbasic 
governance functions or communication. As such, open and secu 
Internet constitutes a significant element in generating growth, 
citizens' empowerment both sides of the Atlantic. However, this 
increasingly undermined by digital risks and vulnerabilities in cybe 
fraud, attacks on critical infrastructure or the use of new technologi 
networks. According to several studies, Europe and the United Sta£ap 
tremendous benefits from digitisation but, in order to secure the poterji 
need to strengthen transatlantic cooperation in building more resilient 
societiesas well as deliveron theircommitmentto enhancing tiebetween 
regulatory, law enforcement, policy and civil society actors. 


This briefingformspart of a broaderresearcfprojecton the perspectives! 
transatlantic cooperation in the US election year, requested by the Chair of tl 
European Parliament's delegation for relations with the United States. 
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Context and the state of play 

In order to protec t the positive impact of the internet on stimulating growth an 
creation, both sides of the Atlantic recognise the urgent need to strengthen the 
cooperation on eradicating safe havens and o n buildin g capacities to improve resilien 
of their systems and societies to criminal networks, cyber espionage and attack 
critical infrastructure (see Figure 1). 


Firstly, improving cybersecuritNpjgure 1 - Percentage of breaches (per threat actor) 
reducing the effects of cybeiu mie 


in the transatlantic area is the 
protecting and further unlockir 
benefits of the digital economy 
Figure 2 and Figure 3). The reli 
of our societies on internet-! 


platform^or deliveryof services 
and communicationsincreases 


vulnerability to digital security 
According*) existin qstudie s,bv 
2025 internet-related technol 
such as mobile internet, the 
Internet of Things and cloud 
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Data sourc e: Ver izon, 2015. 


computing will generate potential economic benef 
between US$8.1 trillion and US$23.2 trillion annually. At the same time, the contribut 
of the internet econ omy to the global economy is between US$2 trillion and US$3 tril 
- up to 20% of this amount (US$400 billion) is lost due to cybercrime. 


Secondly, the tren ds in online demo graphics suggest that the traditional leading role 
the EU and USA have played in shaping global standards and policies will increasingly 
challenged by emerging digital powers in Africa and Asia. The number of internet use 
expected to reach 4.7 billion by 2025, but most of this growth will come, not from the 
transatlantic area, but from developing countries and emerging economies, wh( 
citizens will represent 75% of the world's online population. For instance, while India ' 
experience growth of over 3 000% in the total number of broadband subscriptions 
2025, reaching a total of 700 million people online, over the same period, the 
population in the transatlantic area will reach 565 million people. 


Thirdly, atbo often, regulatory approaches and policies adopted on each side of the 
Atlantic can turn the EU and the USA into each other's 'worst enemy' and distract the 
from the more significant threat posed by criminals, terrorists or other countries. This 
even more so in the post-Snowden world where the calls for a ^European stra 
autonom y' and the US clai ms of digital s upremacy have become dominant in the poli 
discourseThe negotiationsf the four EU-US PassengeName Records(PNR) 

Agreements and the set back to transatlantic data exchanges resulting from the Cour 
Justice ruling in the Schrems Case (i.e. invalidating the EU-US Safe Harbour Agreemei 
teach us that a priori policy coordination and consultation between the EU and the UE 
might be more effective than constantly placing the transatlantic relationship in a poi 
factum crisis management rrTdrale. should not be the faittybdrerime and 
cybersecurity cooperation. Beca use a 'transatlantic digital marketplace' cannot be bi 
on insecure and unstable foundations, these two policy areas cannot be viewed as a ) 
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another 'island of cooperiartitdmd transatlantic sea of initiatives and needs to be 
mainstreamed into regulatory discussions across the board. 

Figure 2 - Share of digitisation potential f3§LisecB(£/J)igital share of economy (%) 
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Figure 4 - Digital trade balance (% of total services trade with the US and the EU-28) 
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Data source for Figures 2, 3 and 4: McKinsey Glob al Institute, 2016. 
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A case for closer transatlantic cooperation 

As the potential gains from attacks increase (be it either for common cyber criminals 
state sponsored groups) and the threshold for access to cyber-tools decreases (prima 
due to the development of the 'malware as a service' business), the threat to the EU 
US grows. This trend is accelerated by limited human, legal and institutional capacity 
some regions of the world - in particular in Africa and eastern Europe, which facilitate 
the emergence of safe havens, from which criminal networks can harm citizen 
businesses operating in the EU anQdheed|lfently, addressing cybercrime and 
buildingmore robustcybersecuritiy essentiafor the economicgrowthin the 
transatlantic area. 


A cleaner and sustainable cyber ecosystem 

One of the key problems in addressing cybersecurity is a limited understanding of glc 
' cyber heal th'or, in other wordsonditions under which malicious activity and risk 
conditions spread in cyberspace. The unhealthy cyber ecosystem facilitates the condi 
of illicit activities in cyberspace (e.g. attacks on critical infrastructure, cybercrime) an 
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complicatesthe response (i.e. Map 1 - Percentage of computers cleaned* 

problems with attribution).By 


drawing the analogy with 
internationaitesponseio global 
health crises like malaria or 
this model points to the import 
of internationalcooperationin 
response (i.e. killing the viri 
cleaning up the infected comp 
and prevention (i.e. securing 
devices and educating users 
number ofia I ware-infected ho 
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in the EU and USA is relatively 
for some countries, given th 
world average is 16.9 compute 
1 000 unique computers on 
malware was detected and 
removed (1.69%) (see Map 1). 
implies that the countries with me 

most infected Computers ma D f ta sour ce: Micro soft, 2015. 
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their piece of malwareonline. 

Access to such computers can be purchased for small amounts: access to US-based h 
costs US$1 000 for 10 000 hosts and to EU-based hosts as little as US$400 for the sa 
number of hos&s. a resulip to 20% US$3 trillion that the internet economy 
contributes to the global economy is lost due to cybercrime (US$400 billion). In the E 
the cost of cybercrime is estimated at 0.41% of GDP whereas in the US it is about 0.6 
That translates into a potential &sssnafiy as 200 000 American and 150 000 
European jobs due to cybercrime. A different study conducted regularly by the Ponerr 
Institute estimates the averagcdxstabf a data breach at US$3.79 million. In 2015, 
the cost for individual countries was between US$146 for Italy and US$217 for the Un 
States (Germany -US$211, France - US$186, UK - US$163). Nonetheless, the cost ha 
grown for all those countries since 2013. 


Bigger and more resilient economic growth 

There is a universal understanding that in creasing internet connectivity contributes t< 
economic growth - between 1 and 2% GDP growth for every 10% of the conn< 
population. At the same time, there is still limited acknowledgment of the fact that cy 
insecuri ty constitu tes an indirect tax on growth. The United States estimates the ar 
impact of international intellectual property (IP) theft to the American economy 
US$300 billion - or 1% of its GDP. The United Kingdom, Netherlands and Germany ha> 
registered similar estimated losses in GDP, which in times of slow economic growth is 
significant. That means that as the size of the 'digital economy cake' gets smaller du< 
data breaches or attacks on critical infrastructure, so does the share of EU and US citi 
who could potentially benefit frcAndb.rding to some scenarios looking into to the 
possible effects of a large-scale cyber-attack on critical infrastructure, a cyber-attack 
the power grid in the north-eastern United States could cause an electricity blackout 
plunges an area covering 15 US states, including New York City and Washington DC, i 
darkness and leaves 93 million people without power. In addition to severe impact on 
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population (e.g. a rise in mortality rates as health and safety systems fail, and disrupi 
to water supplies as electric pumps break down), such an attack would cost the 
economy between US$243 billion and US$1 trillion. 

Potential for convergence and/or joint action 

Several studies demonstrate that the vulnerability to digital risks and total costs it im 
can be reduced, provided certain features are in place, including a national cyberseci 
strategy or an adequate institutional framework. Both the EU and the US cybersecuril 
strategies list stronger relations with international partners as one of the mechanisms 
towards preserving open, free and secure cyberspace. They also recognise engager™ 
with key partners as a way towards promoting their respective political, economic am 
strategic interests. Given the scope of their bilateral relationship, shared values and t 
exposure to similar threats, the EU and the US are natural partners in cooperat 
counteringmlinecriminalnetworksjmproving'esilienceaf their societiesand 
countering the threat posed by third parties. 

Fight against criminal networks online 

The need for transatlantic cooperation and the convergence of interests is clearly visi 
in the case of the fight against cyberAipnrt^016, an international cyber gang 
unleashed a malware known as GozN \gitol( £hi)S$4 million from more than 
24 American and Canadian banks, credit unions and popular e-commerce platforms ir 
just a few days. A week after launching the attack campaign in North America, GozNv 
operators spread a new European configuration that attacked corporate, investm 
banking and consumer accounts held with major banks in Poland dMIPortugal, 
the global financial network used by banks to transfer billions of dollars every day, w; 
also a vict im of cyber-attacks in which the perpetrators had altered SWIFT software ai 
used the system to send fraudulent messages - a process that cost the Banglac 
Central Bank account at the New York Federal Reserve Bank a total of US$81 million. 

Against this backgroifflitMJSlaw enforcementooperatioiin the fightagainst 
cybercrimes addressedn the EU-USWorkin<£roupon Cybercrimfepecific 
commitments in this domain - many of which require cooperation over years-v 
made at the EU-US Justice and Flome Aff airs ministe rial meeting in Riga in June 2015, 
include: facilitating law enforcement exchanges, including but not limited to thi 
pertinent to child sexual abuse offences, travelling child sexual offenders and networ 
intrusion;collaboratiorin fightingand disruptingcybercrimeand enhancing 
cybersecurity including through joint research; and promoting adoption of the Budape 
Convention and training practitioners on its provisions. In addition, representatives fr< 
counterpart US agencies have been placed within Europol's Cybercrime Centre (EC3) 
Eurojust with the aim of supporting operational cooperation. For instance, in April 20] 
a multinational law enforcement operation led by the EC3 and the Joint Cyberc 
Action Taskforce (J-CAT) disrupted the operfe(ti©nBee5one botnet, that had 
installed malware on about 12 000 computers in around 195 countries. Cooper 
between Europol, law enforcement cybercrime units in Member States and technolog 
industry partners operating across the Atlantic helped to dismantle botnet, know 
Zeroaccess, which was responsible for infecting over 2 million computers worldwide c 
had cost online advertisers US$2.7 million eacf&oarpenition between law 
enforcement agencies from across the world, led by the FBI and supported by the EC 
Europolalso ensured the disruption of the Gameover Zeus botnet and the seizure c 
computer servers crucial to the malicious software known as CryptoLocker (Figure 5). 
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Figure 5 - Number of IP addresses infected with Gameover Zeus botnet over time 
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Data sourc e: CvberG reen. 2016. 


Improving resilience of networks 

Beyond the fight against cybercrime, the EU and US have a strong interest in develop 
joint approaches - or at least ensuring a close coordination and sharing best practice: 
with regard to protection and building resilience of their critical infrastructure networl 
(e.g. energy, transportation, financial systems). Given the extent to which the EU and 
are interconnected, the economic and social implications of such attacks on either sic 
of the Atlantic could have a huge impact on the economy, and potentially stability, ac 
the transatlantic area. For instance, the US Industrial Control Systems Cyber Emerger 
Response Team (ICS-CERT) found that a synchronised and coordinated cyber-attack, s 
as the one carried out on a section of the Ukrainian power grid in December 2015, co 
cost anything between US$243 billion and US$1 trillAfctBccksllaois. critical 
infrastructure - albeit on a smaller scale - are nevertheless quite <2ffibfiQ(S'i. 
repor t released by the German Federal Office for Information Security confirmed that 
German steel mill suffered 'massive' damage as a result of a cyber-attack manipulatii 
and disrupti ng control sy stems to such a degree that a blast furnace could not be pro 
shut down. In April 2016, multiple forms of malware were found in a German nuclear 
energy pla nt in Gundremmingen. Even though the types of malware discovered suggi 
an accidental infection rather than a targeted attack, the news reaffirmed a persisten 
vulnerability of critical infrastructure networks. 


Given that there is almost universal agreement on the growing risk of cyber-attacks o 
critical infrastructure, the EU and US need to enhance their cooperation in preparing 1 
a transatlan tic 'cyber K atrina'. Citohi©iBll^,US Working Group on Cybersecurity 
provides a setting for discussions along several strands, including those focused on p 
private partnerships and incident management, but it is clear that this dialogue woul< 
benefit from an additional political impetus. As part of the effort to improve the resilie 
of their networks, over 60 participants from 16 EU Member States and the US contrib 
to the first joint EU-US cyber exercise, 'Cyber Atlantic 2011' facilitated by the Europe* 
Network and Information Security Agency (ENISA) and Department of Flomeland Seci 
(DHS). The objectives of the exercise included improving cyber-crisis managers 
cooperation, identifying the procedures and mechanisms employed during a cyber-cri 
and exchanging good practices on approaches to international cooperation. Since 20'. 
EU Member States and the US have participated in the NATO cyber defence exercises 
'Locked Shields'. 
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Countering threats to national security 

Due to the fact that criminal networks often operate in several jurisdictions, or receiv 
support from third country goverranmdnfeat some cyber-attacks might pose a 
serious threat to a state's security - potentially resulting in a mi-lifeary conflict 
transatlantic discussion about secure and safe cyberspace necessarily involves be 
diplomats and military staff. Several instances illustrate that this is indeed the case. F 
example, in November 2015 air traffic control systems across much of Sweder 
unavailable, resulting in the cancellation of multiple domestic and international flight: 
the airports of Arlanda, Landvetter and B&wenha i reporte dly suspected that a 
hacker group linked to Russian military intelligence service (GRU) was responsible for 
attack and passed this information on to NATO members in neighbouring countries si 
as Norway and Denmark. Another example is a growing cyber th reat po sed by terrori: 
group s. Even though to date the attacks by jihadi groups such as ISIL/Da'esh have be 
limited to compromising social media accounts or defacing websites, the announcem 
of a new group called the 'United Cyber Caliphate' (following the formal merger of se' 
groups) raises new concerns regarding ISIL/Da'esh’s cyber capabilities. In both cases, 
need to think in broad national security terms (something which law enforcement anc 
critical infrastructure operators are not always used to doing), and a possible respons 
going beyond law enforcement, technical measures or national borders (which 
actors are not empowered to do), brings diplomats and 'cyber soldiers' into the pictui 

With regard to international security, the EU and US seek greater stability and promol 
norms of responsible state behaviour in cyberspace. The basis for EU-US cooperation 
this respect is provided in th e report by the United Nations Governmental G 
Experts (UN GGE), published in June 2015, to which both sides have actively contribi 
The report sets out the norms regulating state behaviour. These forbid states 
knowingly allow their territory to be used for cyberattacks; to conduct or knov 
support attacks that damage critical infrastructure; to conduct or knowingly su| 
activity intended to harm the information systems of another state's emergency resp 
teams (CERT/CSIRTS), and to use their own teams for malicious international activity, 
efforts aimed at promoting the implementation of these norms globally and th 
regional organisations Q<5.§E, ASEAN Regional Forum, Organization of Ame 
States) offer a possibility to streamline EU-US cooperation in this respect. The 
Statemen tlopte d in 2015 is seen as a significant step towards achieving globs 
agreement on some of these norms. However, their voluntary nature means that furt 
diplomatic efforts are likely to be needed in order to find a consensus with countries I 
China and Russia on the practical steps towards their implementation. The EU and US 
also at the forefront of the discussion about confidence-building measures that would 
minimis^he riskof misunderstandingisd helpavoidescalatioiand conflictin 
cyberspace. To that effect, both sides work closely in the framework of the Organisati 
for Security Cooperation in Europe (06€Fa)greement between the EU Computer 
Emergency Response Team (CERT-EU) and the NATO Cyber Incident Response 
(NCIRC), signed in February 2016, provides an additional opportunity to strenc 
cooperation between the EU and the US, but the details of its implementation still ne< 
to be worked out. 

Looking ahead: Potential projects and challenges 

As some of the high level attacks in 2015 have demonstrated, the growing digital risk 
the transatlantic economy and security provide strong incentives for closer EU- 
cooperation on enhancing cybersecurity and fighting bytartdiftrae, with 
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increasing regulatory and legislative activity in the field of cybersecurity, abser 
cooperation between legislators on both sides of the Atlantic could have a sign 
negative impact - and a potential cost - as it is likely to lead to divergent regulations 
standards, including on encryption or data (Motteatioaitlantic level, a wide 
spectrumof cyber-relatecfesuesis pursued througfieEU-USCybeiDialogue 
establishe d in the aftermath of the EU-US SumnSfevieralMeetings of the 
Dialogudo date have confirmethe closealignmenbn manyissues,including 
cybercrime, building resilience, countering threats posed by third parties, eradicating 
havens in cyberspace, and protection of human rights online and offline. 

While the European and American interests in this policy area are to a large 
overlapping - with several initiatives already underway - there is a clear need for a 'r 
map' that would provide the ongoing efforts with more structure and dynamism. Th 
following functional blocks of cooperation, to be pursued by all groups of actors invoh 
could provide the framework for future initiatives and projects across the various polii 
areas (for a detailed description of actors and actions by policy area, see the Annex). 

• Improved information sharing and situation awareness through joint identificat 
and/or exchange of best practices - including on cooperation with private sector ar 
other stakeholders; joint threat analysis and exchange of information about t 
vectorsand possiblemitigatiortechniquescegulardiscussionabout planned 
legislation or legislation in progress; regular exchanges aimed at identificatio 
opportunities/'low-hanging fruits' and potential obstacles to cooperation. 

• Strengthening joint response capacities and operational cooperation by promoting 
better understanding of the emerging Critical Information Infrastructure lands 
(e.g. smart grids, botnets, cloud computing); developing good practices (e.g. 
approaches to data breach notifications), and joint exercises. This implies a 
cooperation with the private sector, which is often the owner of the infrastructure c 
the critical information, and whose approach and interests are not always aligned v 
those of the government (e.g. the ongoing debate about encryption and backdoors 
At the international level, such projects could focus on building capacities in 
countries, in particular through the promotion of adequate legal frameworks 
compliant with the provisions of the Council of Europe Convention on Cybercrime), 
setting up institutions (e.g. Computer Emergency Response Teams), and crea 
policy frameworks (e.g. national cybersecurity strategies). 

• Improving across-the-board awareness of digital threats and vulnerabilities through 
joint awareness-raising campaigns (such as the existing Cyber Security Aware 
Month,'Stop.Think.Connect') as well as political and institutional dialogues. In th 
sense, the role of the existingswelmuas, the Transatlantic Business Dialogue 
(TABD), Transatlantic Consumers' Dialogue (TACD) and Transatlantic Policy Network 
(TPN), could be re-assessed. 

• Building trust and confidence - both in the digital environment and with regard to f 
behaviour - through more transparency providing space for genuine multi-stakehol 
consultatiorprocesse$nvolvincgovernment$rivatesectorand civil society; 
developing a common vocabulary related to cybersecurity in order to avoid the risk 
misunderstanding and misperceptions fbsgfield of cyber insur ance policies), 

and joint exercises which allow for a better understanding of commonalities 
differences. At the international level this would imply promoting (through worksho 
seminarsjoint researchprojects)confidence-buildiingeasuresnd normsof 
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responsible behaviour in cyberspace, based on the measures proposed by the OSC 
and the UN GGE 2015 report. 

Despite substantial evidence that closer EU-US cooperation in the field of cybersecuri 
and the fight against cybercrime is a necessity, one cannot ignore the simple fact tha 
two sides of the Atlantic are also com petitors on global markets. Consequently, there 
a substantial risk that transatlantic cooperation in this policy area becomes tr£ 
between calls for digital protectionism in Europe and a conviction of digital supremac 
the United States. For instance, President Barack Obama described the EU's position 
data protection in the US as intended to 'carve out their [the EU's] commercial intere: 
faced with the EU's own incapacity to compete with US-based companies. Sen 
Wyden (D-OR ) ca lled the Court of Justice ruling in the Safe Harbour case 'open seasoi 
on American businesses. The European Union's dependence on third parties' software 
and hardware (see Figure 4) has led some countries to a belief that Europe urgently n 
to developits own 'digitalstrategicautonomy'characterisedotablyby the 
development of a European digital security industry, while encouraging design 
production in Europe, and the encouragement of the emergence of a robust Europear 
certificatioiframeworkto generateinternationallyompetitiv£uropeandigital 
champions. In an effort to protect European digital space, there are also voices callinc 
the development of an alternative approach to the global 'free flow of data' which wo 
support the ability of the EU and Member States to locate in Europe data requirin 
certain level of protection, as well as promote the EU's vision of digital security and v 
in international negotiations on cyberspace. The latter point might be particula 
problematic given the tendency in the United States, but also in some Member States 
overly securitise the digital space. 
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Annex - Building blocks for cooperation and possible projects 
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